top 10 in 2019: considerations for impactful internal ...— preventing loss of intellectual...

kpmg.com

Considerations for impactful internal audit departments

KPMG Internal Audit:

Top 10 in 2019

© 2018 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International. NDPPS 819099

Top 10 in 20191. Intelligent automation Page 2

2. Data insights

3. Technology transformation Page 4

4. Cybersecurity Page 5

5. Compliance and regulations Page 6

6. Distributed enterprise Page 8

7. Culture risk Page 9

8. Corporate responsibility Page 10

9. Anti-bribery/anti-corruption Page 11

10. Workforce demographics Page 12

As companies continue to navigate rapidly changing business models, regulatory requirements, technology disruption, and more, the opportunity for Internal Audit (IA) to identify and help companies respond to risks is ever-increasing. In fact, IA can play an important role in helping organizations manage the risk environment while also making progress on strategic and growth priorities. To provide the greatest value, IA must find opportunities to challenge the status quo to reduce risk, improve controls, and identify potential efficiencies and cost benefits across the organization.

To help IA functions achieve these goals, we present KPMG Internal Audit: Top 10 in 2019, which outlines areas where IA should focus so it can effectively add value across the organization and maximize its influence on the company.

1KPMG Internal Audit: Top 10 in 2019© 2018 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International. NDPPS 819099

Intelligent automation

Drivers:

— The digitization of labor is rendering some traditional business operations obsolete.

— Industry leaders are maintaining or ramping up investment in innovation, particularly digital labor.

— Artificial intelligence, cognitive computing, and robotics are among the top technologies that will-drive business transformation going forward.

Intelligent automation—such as robotic process automation (bots), machine learning, and cognitive solutions—is changing the world of business right before our eyes. New technology that both complements and augments human skills has the power to exponentially increase speed, scale, quality, precision, and operational efficiency across organizations. Smart machines now perform activities, and even make decisions, that were previously the domain of humans—and they do it fast, more accurately, and at far greater scale. The days when employees clock in to work just to repeat manual tasks over and over will soon be a distant memory.

Given intelligent automation’s clear benefits and numerous use cases, it’s no surprise that it has become a mission-critical initiative. But when embarking on such an important digital transformation project, companies must remain cognizant of the risks and governance responsibilities associated with intelligent automation and applications. A well-designed risk and governance function helps ensure that intelligent automation programs are properly implemented and that associated risks are effectively identified, evaluated, mitigated or, where appropriate, accepted.

IA has a critical role in an increasingly digital workplace. Properly defined automation program guidelines can help an organization meet its governance, risk, controls, and compliance requirements and prevent damage to relationships with partners, auditors, and regulators, as well as avoid significant fines.

How internal audit can help:

— Integrate governance, risk management, and controls throughout the automation program lifecycle

— Identify opportunities to embed automation-enabled control activities within the impacted business processes

— Capitalize on intelligent automation labor innovations to increase efficiency and effectiveness of internal audit activities

1


Data insights

Drivers:

— Leveraging advanced big data tools and techniques to adapt quickly to rapidly evolving business demands

— Complying with global business and regulatory data requirements

— Leveraging big data technology and methodologies to improve audit quality and precision, reduce audit costs, and expand risk coverage and audit scope

— Enabling real-time identification of risks and remediation of control weaknesses

As companies continue to optimize the value of and insights arising from the tremendous amount of data housed in the business environment, ensuring proper controls around the use and storage of data is critical. Effective data governance enables a top-down, enterprise-wide view of big data. It addresses questions over data ownership and ensures adherence to policies that govern which data is important and how data is created, stored, aggregated, warehoused, analyzed, and used. Data governance is critical to maintaining data privacy and helping the business turn data into insights.

Although IA must maintain an adequate degree of separation from management responsibilities, opportunities exist to work with management to expand the use of data analytics in the business and within the IA process. Those responsible for operations, compliance, and financial reporting have generally increased their use of data analytics in executing their responsibilities. IA can often leverage these platforms or assist in a consulting role to help improve related processes and controls.

Using data to perform analytics in the internal audit process can enable expanded risk coverage and audit scope as well as improve testing precision. Repeatable and sustainable data analytics can help IA simplify and improve the audit process, resulting in higher quality audits, increased value to the business, and more precise control evaluation. By enabling IA to evaluate a greater number of controls, resulting in greater coverage, data analytics can help IA respond to audit committees and stakeholders that are asking them to do more with less.


— Use data analytics to identify current and emerging risks as part of the risk assessment process

— Perform automated auditing focused on root cause analysis and management’s response to risks

— Assist in the formation or review of data governance policies and processes

— Review the data model and points of control, including data classification issues, to identify security gaps

— Assist in creating automated extract, transform, and load (ETL) processes, along with repeatable and sustainable analytics and dashboards, enabling auditing or monitoring against specified risk criteria

2


Technology transformation

Drivers:

— Identifying priority areas for technological transformation

— Maintaining a technology plan that is connected to your current state rather than your desired future state

— Being an IT bottleneck rather than a catalyst for change

— Spending on applications that you don’t need

Too many companies pursue new technological advancements without assessing whether they are right for their business model and customer base. Combined with an inability among many companies to move off of outdated core systems, this approach is more often than not an impediment to growth. Further, technology disruption has had a huge impact on companies that will continue for the foreseeable future. The response may involve some radical rethinking of the overall approach to technology and how effectively companies address customer expectations. An organization’s strategy around technology should be flexible and support the broad business strategy for the next three to five years, but technology should not drive that strategy. That’s the part many companies get wrong.

Another seemingly obvious but often forgotten area to consider in connection with technology is return on investment. What are you spending? What are you getting back? What are the efficiencies? More than ever, companies are being impacted by the rapid pace of digital change. Global and cross-industry collaborations and partnerships are likely going to be crucial. Getting the right mix of talent, capital and entrepreneurial vision to nimbly embrace new technologies is a must for survival.


— Assess whether existing and planned technology initiatives align with overall company strategy

— Integrate governance, risk management, and controls throughout the transformation lifecycle

— Evaluate the company’s project management and governance processes for technology-related initiatives

— Risk assess management’s plans and processes in light of other risks in the organization and ensure transparent communication to the audit committee

3


Cybersecurity

Drivers:

— New and emerging cybersecurity threats and how they affect the entire organization

— Avoiding costly consequences of data breaches such as investigations, legal fines, coverage of customer losses, remediation efforts, loss of executive and mid-level time and focus, and potential loss of customers and business

— The readiness, or lack thereof, of the organization’s cybersecurity program

— Preventing loss of intellectual property and capital and other privileged company information

In today’s world of constant connectivity, cybersecurity is a key focal point for many companies. Cybersecurity frequently appears on the top of many board agendas, and data security breaches now appear to be headline news almost on a weekly basis. Several factors have driven the increased attention paid to cybersecurity issues, including changes in the threat landscape, rapid changes in technology, changing regulatory environments, social change, and corporate change. Additionally, the capabilities and techniques used by hackers are continuously growing and evolving, especially concerning targeting specific information or individuals. New methods are constantly being developed by increasingly sophisticated and well-funded hackers who can target companies not only through networks directly but also through connections with key suppliers and technology partners. The consequences of lapses in security can be disastrous as an organization’s bottom line and reputation are impacted. It is critical that all companies remain vigilant and up to date regarding all the recent protection criteria.


— Review the organization’s cybersecurity risk assessment, processes, and controls, using industry standards as a guide, and provide recommendations for improvements

— Assess implementation of revised technology security models, such as multilayered defenses, enhanced detection methods, and encryption of data leaving the network

— Champion a robust training and education program so that employees play a key role in a comprehensive protection plan

— Assess third-party security providers to evaluate the extent to which they are addressing the most current risks completely and sufficiently

4


Compliance and regulations

5

Drivers:

— Ensuring compliance with a dramatically increasing number of regulations, both domestically and abroad

— Mitigating the increasing costs of complying with this ever-growing number of regulations

— Developing a strategy to lessen the restraining effects of compliance activities on business operations

— Ensuring compliance operations are aligned following a merger or acquisition

Under the current U.S. administration, we are seeing a trend toward less regulation. However, this is being offset globally by an increase in regulations in Europe and China. In this fluid scenario, companies operating internationally must remain focused on maintaining compliance standards to minimize risk.

Worldwide, there is increased focus on regulations pertaining to fraud, cyber and data security, operations, product liability, competition, consumer protection, price controls, and social and environmental considerations. However, while U.S. federal regulations are being rescinded at a feverish pace, state-level actions and litigation against U.S. companies is rising class actions in particular. It goes without saying that litigation is expensive and requires strong internal business controls and experienced legal departments.

A deregulatory policy agenda in the United States does not mean there are fewer regulatory challenges for companies. In 2019, regulators will continue to demand companies pay strict attention to core risk management governance, controls, practices, and reporting—particularly in the areas of cybersecurity, third-party risk management, and conduct and culture. And with consumer privacy and data security high on the list of regulatory priorities, companies may soon see GDPR-like rules, such as the recently passed California Consumer Privacy Act, enacted across the United States.

Continued adoption of automation and emerging cognitive technologies will likely help drive sustainable and effective change across these regulatory challenges.


— Inventory regulatory bodies and requirements affecting the company

— Assess the company’s approach to managing its global compliance activities, including integration of the requirements of acquired companies

— Evaluate the company’s response to any notable instances of noncompliance

— Ensure compliance training programs offered to employees and other stakeholders are appropriate for role and geography


Distributed enterprise6

Drivers:

— Risks associated with an increasing number of third-party relationships, oversight of those relationships, and the risks related to those activities

— Enhancing revenue and cost reduction

— Improving contract and vendor governance

— Creating more effective contractual self-reporting processes

— Preventing or timely detecting risk management failures at third-party business partners

To boost productivity and adapt to changing business models, companies are increasingly relying on third parties to carry out vital business functions, resulting in broadly distributed business models. However, these expanding distributed enterprises open up companies to numerous new risks and potential compliance failures that can lead to fines, lawsuits, operational bans, and reputational damage. Business partners may not mean to do so deliberately, but they can fall short due to the complexity of the environment or their agreements. Often, third parties can have access to the company’s networks, increasing the possibility of data breaches, or companies can be unaware that third parties are employing subcontractors that may be wanting in their business and compliance efforts. Finally, third parties can operate in areas of political uncertainty, exposing contracting companies to further risks. Given all these factors, companies need to ensure they are getting the most benefits from these external relationships while having in place appropriate controls to reduce liabilities.


— Review third-party identification, due diligence, selection, and onboarding processes and controls

— Evaluate contract management processes used by management to track third-party relationships

— Monitor regulatory developments related to third parties

— Enforce and ensure consistency of right-to-audit clauses

— Enforce third-party compliance with the company’s information security standards

— Develop, implement, and calibrate a continuous monitoring system of self-reported data from third-party business partners


Culture risk7

Drivers:

— Heightening regulatory scrutiny and increasing cultural expectations

— Increasingly global organizations with much more varied cultural norms and practices

— Social media outlets and the ability for incidents of misconduct to be widely broadcast

— Stricter governance, oversight, and accountability expectations

Culture risk has gained the attention of company leaders as the cause of many incidents of misconduct that have impacted the public’s trust. Even if a company has a well-defined strategy, if the company culture does not support its execution, success is less likely. Culture can be observed, monitored, and changed over time to mitigate misconduct and encourage strategic behaviors. A broader cultural program, while addressing the specific issues of governance, compliance, and risk management, will also focus on understanding how the organization makes decisions to meet the demands of its various stakeholders, and how these decisions influence culture, both current and desired.


— Conduct an assessment of the organization’s cultural drivers in relation to the organizational norm

— Review the alignment of performance measures to strategy to ensure desired behaviors are being incentivized and rewarded

— Provide assurance regarding the evolution and alignment of the organization’s culture with their compliance activities, as well as their financial objectives and business and operating models

— Surface culture risk through data analytics and third-party audits

— Lead or participate in investigations into matters involving potential misconduct

— Drive continuous improvement through testing and evaluation of the organization’s culture change program


Corporate responsibility

8

Drivers:

— Emerging environmental and social issues, such as climate change, water scarcity, and human rights, increasingly being seen as financial rather than nonfinancial issues

— Increased expectation for companies to be transparent not only about their own performance on corporate responsibility topics, but also about the financial risks and opportunities they face from them and the likely effects on the business’s value creation in both the short and long term

— Rapidly and ever-changing emerging risk environment, including an evolving and increasingly complex regulatory environment

— Increase in mandatory reporting requirements and corporate responsibility commitments

Companies are continuing to face increased stakeholder expectations and regulatory requirements relating to corporate responsibility issues. Businesses today are operating in an ever-more interconnected and globalized world. Issues such as climate change, water scarcity, and human rights are increasingly seen as material risk factors that warrant scrutiny by shareholders, customers, and regulators. The demand of increased transparency and disclosure of information means companies are under growing pressure to produce reliable and accurate information, not only for their own operations, but also for their supply chains. IA has a key role in mitigating the risks and enhancing the opportunities that a sustainability focus brings to an organization.


— Assess the company’s sustainability strategy, its alignment with the company’s corporate strategy, and related risks

— Identify the material environmental and social issues that have the potential to impact the company and its stakeholders

— As demands for corporate responsibility disclosure continue to grow, assess the systems in place to collect, analyze, and disclose the necessary information


Anti-bribery/ anti-corruption

9

Drivers:

— Providing insight to stakeholders regarding the effectiveness of existing ABAC activities

— Identifying emerging regulatory and compliance risk, such as that introduced by organic expansion into new markets, third parties, and acquired businesses

— Preserving the company’s ability to control when it discloses a potential violation to the regulators, if at all

The benefits of an effective anti-bribery/anti-corruption (ABAC) compliance program are clear. It is critical to demonstrate that the organization’s program actively identifies potential issues and initiates remediation measures in a timely manner. The program should include support from senior leadership, clear policies, training, monitoring, and oversight. Policies that spell out prohibited activity, the commitment of executive management, audit clauses in agreements with third parties, and vigilance by compliance personnel can deter bribery and corruption, thereby reducing the risk of costly and disruptive regulatory enforcement activity. Should the unthinkable occur, a well-designed and executed anti-bribery and corruption compliance program may mean the difference between a prosecution and a nonprosecution agreement and may even reduce the amount of monetary fines and penalties levied.


— Undertake an independent review of the ABAC governance framework

— Provide assurance regarding the design and operating effectiveness of the organization’s applicable preventative and detective controls

— Conduct culture audits to evaluate not only the hard controls, but also the soft controls that influence and provide insight into informal norms and behaviors

— Assess the strength of end-to-end third-party management, including due diligence and monitoring practices

— Evaluate due diligence and postdeal integration practices for managing ABAC risk, including review of acquired third-party relationships


Workforce demographics

10

Drivers:

— Aging workforce with a large number baby boomers approaching retirement causing an expected drop in the working population

— Increase in robots and other cognitive technologies working side by side with a human labor force

Knowledge transfer is one of the key elements that enables a company to grow and survive in an increasingly competitive business environment. The information and experience employees gain over the years are of vital importance, especially with the impending retirement of baby boomers. A significant challenge is ensuring that knowledge is being transferred effectively to other employees, in order to guarantee a sustained knowledge level in the organization.

As more and more robots and other cognitive technologies work side by side with a human labor force, leaders are increasingly challenged to integrate and make the most of both kinds of labor. The challenge is significant. HR leaders will need to identify the new skills and capabilities that will realistically be required in the future. Those current employees who are willing to be upskilled and retrained will need to be identified. New talent will need to be attracted, retained, and integrated into the business. Lack of communication with employees may lead to talented people leaving for companies that have transparently addressed the issue. Lastly, competitors may implement a more effective workforce mix leading to greater profitability.


— Perform a comprehensive review of the Human Resources department’s capabilities in light of evolving labor models, including a need for new thinking around behavioral economics, systems, analytics, and consultancy skills

— Discuss with management the company’s future expectations regarding transformation of the workforce and plans to address the coming changes

— Assess the company’s succession planning strategy to ensure critical positions have appropriate attention


Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.

kpmg.com/socialmedia

Deon MinnaarService Network Leader, Internal Audit & Enterprise RiskT: 212-872-5634 E: [email protected]

Patty BastiPartner, Internal Audit & Enterprise RiskT: 513-763-2499 E: [email protected]

Contact us

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.


http://www.linkedin.com/company/kpmg-us

https://www.facebook.com/KPMGUS/

http://www.youtube.com/user/KPMGMediaChannel

https://twitter.com/kpmg_us

https://plus.google.com/+KPMGUSA/posts

https://instagram.com/kpmgus

top 10 in 2019: considerations for impactful internal ...— preventing loss of intellectual...

Documents